Binary Edwards Curves Reza Rezaeian Farashahi Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Bernstein (University of Illinois at Chicago) Tanja Lange (TU Eindhoven) and ECC, Sep 24, 2008 ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 1 / 25
Edwards curves Edwards generalized single example x 2 + y 2 = 1 − x 2 y 2 by Euler/Gauss to whole class of curves. He showed that– after some field extensions – every elliptic curve over a field F with char( F ) � = 2 is birationally equivalent to one in the form E c : x 2 + y 2 = c 2 (1 + x 2 y 2 ) , where c ∈ F , c 5 � = c . The simple addition law on this form is given by � x 1 y 2 + y 1 x 2 y 1 y 2 − x 1 x 2 � ( x 1 , y 1 ) , ( x 2 , y 2 ) �→ c (1 + x 1 x 2 y 1 y 2 ) , . c (1 − x 1 x 2 y 1 y 2 ) Bernstein and Lange generalized to the form E d : x 2 + y 2 = 1 + dx 2 y 2 , where d � = 0 , d 4 � = 1 . Every elliptic curve with point of order 4 is birationally equivalent to an Edwards curve. ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 2 / 25
Edwards curves Edwards generalized single example x 2 + y 2 = 1 − x 2 y 2 by Euler/Gauss to whole class of curves. He showed that– after some field extensions – every elliptic curve over a field F with char( F ) � = 2 is birationally equivalent to one in the form E c : x 2 + y 2 = c 2 (1 + x 2 y 2 ) , where c ∈ F , c 5 � = c . The simple addition law on this form is given by � x 1 y 2 + y 1 x 2 y 1 y 2 − x 1 x 2 � ( x 1 , y 1 ) , ( x 2 , y 2 ) �→ c (1 + x 1 x 2 y 1 y 2 ) , . c (1 − x 1 x 2 y 1 y 2 ) Bernstein and Lange generalized to the form E d : x 2 + y 2 = 1 + dx 2 y 2 , where d � = 0 , d 4 � = 1 . Every elliptic curve with point of order 4 is birationally equivalent to an Edwards curve. ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 2 / 25
Edwards curves The addition law on E d : x 2 + y 2 = 1 + dx 2 y 2 is given by � x 1 y 2 + y 1 x 2 , y 1 y 2 − x 1 x 2 � ( x 1 , y 1 ) , ( x 2 , y 2 ) �→ . 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 3 / 25
Properties of Edwards curves Neutral element is (0 , 1) ; this is an affine point. − ( x 1 , y 1 ) = ( − x 1 , y 1 ) . (0 , − 1) has order 2 ; (1 , 0) and ( − 1 , 0) have order 4 . Addition law produces correct result also for doubling. Unified group operations! Very fast point addition 10M + 1S + 1D. (Even faster with Inverted Edwards coordinates.) Dedicated doubling formulas need only 3M + 4S. ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 4 / 25
Complete addition law If d is not a square the denominators 1 + dx 1 x 2 y 1 y 2 and 1 − dx 1 x 2 y 1 y 2 are never 0 ; addition law is complete. Edwards addition law allows omitting all checks Neutral element is affine point on curve. Addition works to add P and P . Addition works to add P and − P . Addition just works to add P and any Q . Only complete addition law in the literature. No exceptional points, completely uniform group operations. The set of curves with complete addition law is not complete! We need Edwards curve in characteristic 2! Even characteristic much more interesting for hardware . . . and soon also in software, cf. Intel’s and Sun’s current announcements to include binary instructions. ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 5 / 25
Complete addition law If d is not a square the denominators 1 + dx 1 x 2 y 1 y 2 and 1 − dx 1 x 2 y 1 y 2 are never 0 ; addition law is complete. Edwards addition law allows omitting all checks Neutral element is affine point on curve. Addition works to add P and P . Addition works to add P and − P . Addition just works to add P and any Q . Only complete addition law in the literature. No exceptional points, completely uniform group operations. The set of curves with complete addition law is not complete! We need Edwards curve in characteristic 2! Even characteristic much more interesting for hardware . . . and soon also in software, cf. Intel’s and Sun’s current announcements to include binary instructions. ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 5 / 25
Complete addition law If d is not a square the denominators 1 + dx 1 x 2 y 1 y 2 and 1 − dx 1 x 2 y 1 y 2 are never 0 ; addition law is complete. Edwards addition law allows omitting all checks Neutral element is affine point on curve. Addition works to add P and P . Addition works to add P and − P . Addition just works to add P and any Q . Only complete addition law in the literature. No exceptional points, completely uniform group operations. The set of curves with complete addition law is not complete! We need Edwards curve in characteristic 2! Even characteristic much more interesting for hardware . . . and soon also in software, cf. Intel’s and Sun’s current announcements to include binary instructions. ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 5 / 25
The design of Binary Edwards Curves How to design a worthy binary partner? Our wish-list after studying and experimenting with mostly small modifications of odd Edwards: A binary Edwards curve should be a binary elliptic curve. look like an Edwards curve (in odd characteristic). have a complete addition law. have easy negation. have efficient doubling. have efficient additions. cover most ordinary binary elliptic curves. ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 6 / 25
Newton Polygons, in odd characteristic y y 2 = x 3 + ax + b • Short Weierstrass: x y by 2 = x 3 + ax 2 + x • Montgomery: x y y 2 = x 4 + 2 ax 2 + 1 • Jacobi quartic: x y x 3 + y 3 + 1 = 3 dxy • Hessian: x y x 2 + y 2 = 1 + dx 2 y 2 • Edwards: x ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 7 / 25
The design choices (I) Let E B is defined by F ( x, y ) = 0 . E B should look like Edwards curve; so, deg x ( F ) ≤ 2 and deg y ( F ) ≤ 2 ; so, 2 2 a i,j x i y j = 0 . � � E B : F ( x, y ) = y i =0 j =0 a 0 , 2 a 1 , 2 a 2 , 2 E B should have symmetric formulas, so a 0 , 1 a 1 , 1 a 2 , 1 a i,j = a j,i . E B should be elliptic, so a 2 , 2 � = 0 or a 0 , 0 a 1 , 0 a 2 , 0 x a 1 , 2 = a 2 , 1 � = 0 . If a 2 , 2 = 0 , and a 1 , 2 = a 2 , 1 � = 0 then there are three points at infinity. Moreover the addition law can not be complete (for sufficiently large fields). ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 8 / 25
The design choices (I) Let E B is defined by F ( x, y ) = 0 . E B should look like Edwards curve; so, deg x ( F ) ≤ 2 and deg y ( F ) ≤ 2 ; so, 2 2 a i,j x i y j = 0 . � � E B : F ( x, y ) = y i =0 j =0 a 2 , 0 a 2 , 1 a 2 , 2 E B should have symmetric formulas, so a 1 , 0 a 1 , 1 a 2 , 1 a i,j = a j,i . E B should be elliptic, so a 2 , 2 � = 0 or a 0 , 0 a 1 , 0 a 2 , 0 x a 1 , 2 = a 2 , 1 � = 0 . If a 2 , 2 = 0 , and a 1 , 2 = a 2 , 1 � = 0 then there are three points at infinity. Moreover the addition law can not be complete (for sufficiently large fields). ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 8 / 25
The design choices (I) Let E B is defined by F ( x, y ) = 0 . E B should look like Edwards curve; so, deg x ( F ) ≤ 2 and deg y ( F ) ≤ 2 ; so, 2 2 a i,j x i y j = 0 . � � E B : F ( x, y ) = y i =0 j =0 a 2 , 0 a 2 , 1 E B should have symmetric formulas, so a 1 , 0 a 1 , 1 a 2 , 1 a i,j = a j,i . E B should be elliptic, so a 2 , 2 � = 0 or a 0 , 0 a 1 , 0 a 2 , 0 x a 1 , 2 = a 2 , 1 � = 0 . If a 2 , 2 = 0 , and a 1 , 2 = a 2 , 1 � = 0 then there are three points at infinity. Moreover the addition law can not be complete (for sufficiently large fields). ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 8 / 25
The design choices(II) So, a 2 , 2 = 1 (scale by a 2 , 2 ) . The projective model of 2 2 a i,j x i y j = 0 � � E B : y i =0 j =0 a 2 , 0 a 2 , 1 1 is defined by a 1 , 0 a 1 , 1 a 2 , 1 2 2 a i,j X i Y j Z 4 − i − j = 0 . � � a 0 , 0 a 1 , 0 a 2 , 0 x i =0 j =0 Put Z = 0 to find the points at infinity. Then, X 2 Y 2 = 0 ; so (0 : 1 : 0) and (1 : 0 : 0) are the points at infinity of E B . ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 9 / 25
Recommend
More recommend